registry  /  vansrouter  /  0.9.0

vansrouter@0.9.0

VansRouter CLI - Start and manage VansRouter server

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install triggers runtime dependency provisioning; running the CLI/app activates proxy features.
Impact
Can intercept and log AI IDE requests/responses when its MITM feature is enabled.
Mechanism
user-data runtime npm installs and local AI-tool traffic interception
Rationale
The package is not proven malicious, but it combines install-time dependency fetching with a concrete AI IDE traffic-interception capability. Treat as a warning for dangerous capability rather than a publish block.
Evidence
package.jsonhooks/postinstall.jshooks/sqliteRuntime.jshooks/trayRuntime.jsapp/src/mitm/server.js~/.9router/runtime~/.9router/logs/mitm
Network endpoints7
api.individual.githubcopilot.comdaily-cloudcode-pa.googleapis.comcloudcode-pa.googleapis.comq.us-east-1.amazonaws.comcodewhisperer.us-east-1.amazonaws.comruntime.us-east-1.kiro.devapi2.cursor.sh

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `hooks/postinstall.js` on install.
  • `hooks/sqliteRuntime.js` installs `sql.js` and `better-sqlite3` into `~/.9router/runtime`.
  • `hooks/trayRuntime.js` installs `systray2`, removes legacy tray files, and chmods its binary.
  • `app/src/mitm/server.js` is a bundled MITM proxy targeting Copilot, Cursor, Kiro, and Antigravity hosts.
  • MITM code stores intercepted request/response data under the package data directory.
Evidence against
  • Postinstall only provisions declared runtime dependencies; it does not configure foreign AI-agent files.
  • Runtime installs use npm with fixed package names and versions where specified.
  • No credential harvesting or unrelated exfiltration path was confirmed.
  • MITM targets are explicit product functionality and activation is runtime/user-driven.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,426 file(s), 19.5 MB of source, external domains: 127.0.0.1, api.example.com, babeljs.io, developer.mozilla.org, dotenvx.com, drafts.csswg.org, example.com, feross.org, fetch.spec.whatwg.org, fonts.googleapis.com, getbootstrap.com, github.com, json-schema.org, lodash.com, mapbox-node-pre-gyp-public-testing-bucket.s3.us-east-1.amazonaws.com, mimesniff.spec.whatwg.org, mths.be, nextjs.org, npms.io, openjsf.org, raw.githubusercontent.com, react.dev, registry.npmjs.org, tabatkins.github.io, telemetry.nextjs.org, trace.nextjs.org, twitter.com, underscorejs.org, webidl.spec.whatwg.org, webpack.js.org, www.apple.com, www.iana.org, www.npmjs.com, www.w3.org
Oversized source lightweight scan
app/_nm/playwright-core/lib/coreBundle.js3.20 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoDynamicRequireHighEntropyStrings
app/_nm/playwright-core/lib/utilsBundle.js3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoDynamicRequireHighEntropyStringsUrlStringsdotenvx.comgithub.com

Source & flagged code

17 flagged · loading source
package.jsonView file
scripts.postinstall = node hooks/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node hooks/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
app/.next-cli-build/server/chunks/2521.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

app/.next-cli-build/server/chunks/2521.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/2521.js

app/.next-cli-build/server/chunks/2521.jsView on unpkg · L1
app/_nm/next/dist/server/lib/start-server.jsView file
33const _os = /*#__PURE__*/ _interop_require_default(require("os")); L34: const _child_process = require("child_process"); L35: const _watchpack = /*#__PURE__*/ _interop_require_default(require("next/dist/compiled/watchpack"));
High
Child Process

Package source references child process execution.

app/_nm/next/dist/server/lib/start-server.jsView on unpkg · L33
app/_nm/next/dist/next-devtools/server/launch-editor.jsView file
371} L372: // cmd.exe on Windows is vulnerable to RCE attacks given a file name of the L373: // form "C:\Users\myusername\Downloads\& curl 172.21.93.52". Use an access list
High
Shell

Package source references shell execution.

app/_nm/next/dist/next-devtools/server/launch-editor.jsView on unpkg · L371
app/_nm/next/dist/compiled/browserslist/index.jsView file
1(()=>{var __webpack_modules__={52:e=>{function BrowserslistError(e){this.name="BrowserslistError";this.message=e;this.browserslist=true;if(Error.captureStackTrace){Error.captureSta...
High
Eval

Package source references dynamic code evaluation.

app/_nm/next/dist/compiled/browserslist/index.jsView on unpkg · L1
app/server.jsView file
1const path = require('path') L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

app/server.jsView on unpkg · L1
app/_nm/next/dist/compiled/@edge-runtime/primitives/load.jsView file
39}; L40: var __privateIn = (member, obj) => { L41: if (Object(obj) !== obj) ... L71: L72: // ../../node_modules/.pnpm/undici@6.21.0/node_modules/undici/lib/core/symbols.js L73: var require_symbols = __commonJS({ ... L98: kBodyUsed: Symbol("used"), L99: kBody: Symbol("abstracted request body"), L100: kRunning: Symbol("running"), ... L564: } L565: const code = this.code = key.charCodeAt(index); L566: if (code > 127) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

app/_nm/next/dist/compiled/@edge-runtime/primitives/load.jsView on unpkg · L39
src/cli/tray/autostart.jsView file
3const os = require("os"); L4: const { execSync } = require("child_process"); L5: ... L36: } L37: const computed = path.resolve(__dirname, "..", "..", "..", "cli.js"); L38: if (fs.existsSync(computed)) return computed; ... L47: function enableAutoStart(cliPath) { L48: const platform = process.platform; L49: L50: if (!["darwin", "win32", "linux"].includes(platform)) return false; L51: if (platform === "linux" && !process.env.DISPLAY) return false; L52:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/tray/autostart.jsView on unpkg · L3
app/src/mitm/server.jsView file
24Private-MAC: `+b.digest().toHex()+`\r L25: `,s};ma.publicKeyToOpenSSH=function(e,t){var a="ssh-rsa";t=t||"";var r=Ce.util.createBuffer();return vr(r,a),Et(r,e.e),Et(r,e.n),a+" "+Ce.util.encode64(r.bytes())+" "+t};ma.private... L26: `);o=l.pop()||"";for(let f of l){let c=f.trim();if(!c||!c.startsWith("data:"))continue;let g=c.slice(5).trim();if(g!=="[DONE]"){process.env.DEBUG_MITM&&Ea(`[SSE in] ${g.slice(0,200... ... L32: `)}catch{}}var od=(()=>{let e=new Uint32Array(256);for(let t=0;t<256;t++){let a=t;for(let r=0;r<8;r++)a=a&1?3988292384^a>>>1:a>>>1;e[t]=a}return e})();function ko(e){let t=42949672... L33: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function fd(e){let t=e.toolU... L34: $proc = Start-Process powershell -ArgumentList @(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

app/src/mitm/server.jsView on unpkg · L24
24Private-MAC: `+b.digest().toHex()+`\r L25: `,s};ma.publicKeyToOpenSSH=function(e,t){var a="ssh-rsa";t=t||"";var r=Ce.util.createBuffer();return vr(r,a),Et(r,e.e),Et(r,e.n),a+" "+Ce.util.encode64(r.bytes())+" "+t};ma.private... L26: `);o=l.pop()||"";for(let f of l){let c=f.trim();if(!c||!c.startsWith("data:"))continue;let g=c.slice(5).trim();if(g!=="[DONE]"){process.env.DEBUG_MITM&&Ea(`[SSE in] ${g.slice(0,200... ... L32: `)}catch{}}var od=(()=>{let e=new Uint32Array(256);for(let t=0;t<256;t++){let a=t;for(let r=0;r<8;r++)a=a&1?3988292384^a>>>1:a>>>1;e[t]=a}return e})();function ko(e){let t=42949672... L33: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function fd(e){let t=e.toolU... L34: $proc = Start-Process powershell -ArgumentList @( ... L37: ) -Verb RunAs -Wait -PassThru -WindowStyle Hidden; L38: if ($proc.ExitCode -ne 0) { throw "Elevated command exited with code $($proc.ExitCode)" } L39: `;return new Promise((r,n)=>{qo(`powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command ${zo(a)}`,{windowsHide:!0},(s,i,o)=>{if(s){let u=o||s.message;u.includes("ca..
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

app/src/mitm/server.jsView on unpkg · L24
app/src/lib/updater/updater.jsView file
1// Standalone detached updater process. L2: // Spawns `npm i -g <pkg>@latest`, exposes progress via tiny HTTP server. L3: // Survives after parent Next server exits (detached + unref by spawner). L4: L5: const { spawn } = require("child_process"); L6: const http = require("http");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

app/src/lib/updater/updater.jsView on unpkg · L1
src/cli/tray/tray.ps1View file
path = src/cli/tray/tray.ps1 kind = build_helper sizeBytes = 4001 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/cli/tray/tray.ps1View on unpkg
app/.next-cli-build/static/media/ba9851c3c22cd980-s.woff2View file
path = app/.next-cli-[redacted]-s.woff2 kind = high_entropy_blob sizeBytes = 25844 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

app/.next-cli-build/static/media/ba9851c3c22cd980-s.woff2View on unpkg
app/_nm/playwright-core/lib/utilsBundle.jsView file
path = app/_nm/playwright-core/lib/utilsBundle.js kind = oversized_source_file sizeBytes = 3143574 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

app/_nm/playwright-core/lib/utilsBundle.jsView on unpkg
app/.next-cli-build/server/chunks/7947.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/7947.js

app/.next-cli-build/server/chunks/7947.jsView on unpkg · L1

Findings

3 Critical10 High8 Medium6 Low
CriticalCritical Secretapp/.next-cli-build/server/chunks/2521.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/2521.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/7947.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processapp/_nm/next/dist/server/lib/start-server.js
HighShellapp/_nm/next/dist/next-devtools/server/launch-editor.js
HighEvalapp/_nm/next/dist/compiled/browserslist/index.js
HighSame File Env Network Executionapp/src/mitm/server.js
HighCommand Output Exfiltrationapp/src/mitm/server.js
HighRuntime Package Installapp/src/lib/updater/updater.js
HighObfuscated
HighShips High Entropy Blobapp/.next-cli-build/static/media/ba9851c3c22cd980-s.woff2
HighOversized Source Fileapp/_nm/playwright-core/lib/utilsBundle.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireapp/server.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/tray/autostart.js
MediumProtestware
MediumShips Build Helpersrc/cli/tray/tray.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoapp/_nm/next/dist/compiled/@edge-runtime/primitives/load.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings